Virtual cards offer vast opportunities for financial institutions, presenting a safer and more secure alternative to the standard physical credit card. However, virtual cards are not a silver bullet – they too present cybersecurity challenges that, if not properly addressed, can put customers’ information (and money) at risk.

For financial institutions, the ability to provide virtual cards to retail and business customers has vast opportunities for net new business. Alongside the convenience that virtual cards can offer consumers and the competitive advantage that they can offer businesses, this technology offers security benefits. As a whole, using a virtual card is inherently much safer than using a static credit card.

However, like any online technology, virtual cards present certain cybersecurity challenges. While they can offer financial institutions significant advantages, it is critical for these institutions to understand the cybersecurity risks that can affect virtual cards. 

Specifically, the level of safety surrounding the use of a virtual card depends on the level of security provided by the systems that issue and process these cards. To understand the threats that can compromise this level of security, it is important to have a broader understanding of the cybersecurity vulnerabilities and threats that can put consumers’ information (and money) at risk. 

Types of Vulnerabilities and Threats That Can Affect Virtual Cards

Cybersecurity vulnerabilities within systems represent an evolving risk factor for individuals and organizations across the board. For financial institutions that offer virtual cards, the presence of existing and evolving  cybersecurity vulnerabilities within their enterprise can negatively affect the architecture of the issuing systems by creating a window of opportunity for adversaries looking to gain access. Of particular concern are zero-day vulnerabilities – newly discovered vulnerabilities built into a given platform or application for which a patch has yet to be developed (whether or not the platform or application’s developer knows about the vulnerability yet). 

The main objective of threat actors who target systems for issuing virtual cards is to gain access to consumers’ sensitive information, including valuable personally identifiable information (PII), such as financial records or health-related user data. As a result, it is reasonable to assume that they will target the card-issuing infrastructure and any possible vulnerabilities to gain access. After they do so, they can either silently perform reconnaissance or drop their payload in the form of malware to commandeer the system and exfiltrate the customers’ PII. 

This type of attack was seen in the past when chip-and-PIN technology was first introduced. Back then, threat actors employed man-in-the-middle attacks – an approach that allowed them to manipulate a targeted system in order to either fake or bypass the PIN validation process.

More recently, a threat to financial institutions offering virtual cards has been seen in which hackers have targeted the virtual cards in the same way that they would target static cards. These threat actors employed virtual card skimmers to steal customer data during the payment process that takes place during the transaction. They accomplished this by embedding malicious code within the target website and countering the card authorization process.

Looking Forward

Providing virtual cards can offer significant benefits to financial institutions and their customers.  However, the challenges involved in protecting customer data and staying aligned with data privacy regulations grow with the introduction of any technology that increases the threat window for attackers. For institutions providing virtual cards, the concern should be that the systems that generate, process, and govern these cards will increase the overall threat surface on which adversaries will stage targeted attacks, compromise systems, and steal critical data.

Essentially, the challenges faced by systems that offer virtual cards are the same as they are for all systems that financial institutions employ to complete transactions. Adversaries will target vulnerabilities that arise within the supporting infrastructure – in this case, the platforms that issue and process virtual cards – regardless of the processing vehicle used to conduct the transaction. 

And that makes it especially important for financial institutions – whether or not they provide virtual cards – to employ and align with security mandates, frameworks, and solutions that can adequately find system security gaps proactively and early, quickly prioritize vulnerable assets and apply them to security policies, and catch outlying system events that are outside the usual course of business in order to manage the security and data protection challenges they face while ensuring alignment with the data privacy mandates that are required within their jurisdiction.